Wednesday, October 5, 2016

Microsoft Advanced Threat Analytics (ATA) is a user and entity behavior analytics solution that identifies and protects organizations from advanced targeted attacks (APTs). You can read more about Microsoft Advanced Threat Analytics (ATA) here. The purpose of this blog is to provide a few methods that can be used to simulate and demonstrate some of the basic attacks for demo and testing purposes.

Suspicious Activity Simulation #1 – ATA Gateway Stopped Communicating
We will start with the most obvious one! – an ATA communication issue. In this scenario, I am using the ATA Lightweight Gateway (LWGW). In this case the Microsoft Advanced Threat Analytics Gateway (ATAGateway) service should be running on the Domain Controllers.
To simulate this scenario,

Identify all Domain Controllers in the forest/domain. You can use the following DSQUERY command to list all DCs.

DsQuery Server -Forest

Stop the ATAGateway service remotely.

Here are a few scripts – Script1, Script2 or Script3 – if you want to take a script-based approach.

Or we can use a simple SC command – SC \\Lab-DC01 stop ATAGateway
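As an added example (not part of the original post), the following PowerShell reports the state of the ATAGateway service on every DC in the forest, so you can confirm which DC the simulated stop affected and that the others are still healthy. It assumes the ActiveDirectory RSAT module, Windows PowerShell 5.1 (Get-Service -ComputerName), and remote service-control access to each DC; the function name Get-AtaGatewayStatus is my own.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory
# module and remote SCM access to each DC from the machine running it.
Import-Module ActiveDirectory

function Get-AtaGatewayStatus {
    param([string]$ServiceName = 'ATAGateway')   # service name used by the post's SC command

    # Enumerate every DC in the forest, domain by domain (the PowerShell
    # equivalent of the post's "dsquery server -forest").
    $dcs = foreach ($domain in (Get-ADForest).Domains) {
        Get-ADDomainController -Filter * -Server $domain
    }

    foreach ($dc in $dcs) {
        try {
            $svc = Get-Service -Name $ServiceName -ComputerName $dc.HostName -ErrorAction Stop
            $status = $svc.Status.ToString()          # Running, Stopped, ...
        } catch {
            # Service missing (no LWGW on this DC) or the DC could not be queried
            $status = "Unreachable: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            DomainController = $dc.HostName
            Domain           = $dc.Domain
            Service          = $ServiceName
            Status           = $status
        }
    }
}

# Print the full report, then warn on every DC whose gateway is not running;
# that is the state behind the "ATA Gateway Stopped Communicating" alert.
$report = Get-AtaGatewayStatus
$report | Format-Table -AutoSize
$report | Where-Object { $_.Status -ne 'Running' } |
    ForEach-Object { Write-Warning "$($_.DomainController): $($_.Service) is $($_.Status)" }
```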

You will receive the following high alert – ATA Gateway Stopped Communicating – in the Health Center.

Suspicious Activity Simulation #2 – Honey Token Account Activities
In general, Honey Token accounts are non-interactive accounts. They can be dummy accounts used to detect malicious activity.
To simulate this scenario,

Establish an interactive logon session using these accounts. For example, you can RDP into a machine using these accounts.

Honey Token accounts (non-sensitive)
You will receive the following alert/email with recommended actions in the ATA console.

Honey Token accounts (Sensitive)
Since the ATA-Test2 account is a domain admin account, you will receive the same alert with "Sensitive (S)" indicating that this account is a highly privileged account in Active Directory.

Suspicious Activity Simulation #3 – Massive Object Deletion
Bulk object deletion can be a suspicious activity in an Active Directory environment. ATA can alert you based on massive object deletion activity.
To simulate this scenario,

Create a few users in Active Directory. Here is a sample PowerShell script which you can use to create test accounts in Active Directory.

You will receive the Massive Object Deletion alert in the ATA console right away, as shown below.

Suspicious Activity Simulation #4 – Reconnaissance using DNS
DNS, or name resolution, information in a network is useful reconnaissance data. In general, DNS data contains a list of all the servers and workstations and their mappings to IP addresses. Retrieving this information may provide attackers with a detailed view of the environment, allowing them to focus their efforts on the relevant entities.
For this simulation, the plan is to perform a DNS zone lookup using the NSLOOKUP LS command.
To simulate this scenario,